Fix namespaces_limits sometimes failing

The PID from `--info-fd` is red as soon as bwrap forks. This can result in user namespace acquired from it be either direct child namespace or have an intermediate parent user namespace. See containers/bubblewrap#634 Check the current process user namespace id to avoid calling `setns()` on a namespace process already is in. Also cleanup file descriptors after the `setns()`.
igo95862 · Jun 8, 2024 · eae3d58 · eae3d58
1 parent 6460bce
commit eae3d58
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/src/bubblejail/services.py b/src/bubblejail/services.py
@@ -1063,10 +1063,17 @@ def set_namespaces_limits(
         namespace_files_to_limits: dict[str, int],
     ) -> None:
         from lxns.namespaces import UserNamespace
-        target_namespace = UserNamespace.from_pid(pid)
-        parent_ns = target_namespace.get_user_namespace()
-        parent_ns.setns()
-        target_namespace.setns()
+
+        with (
+            UserNamespace.from_pid(pid) as target_namespace,
+            target_namespace.get_user_namespace() as parent_ns,
+        ):
+            if parent_ns.ns_id != UserNamespace.get_current_ns_id():
+                parent_ns.setns()
+            else:
+                print("Already in parent user namespace")
+
+            target_namespace.setns()
 
         for proc_file, limit_to_set in namespace_files_to_limits.items():
             with open("/proc/sys/user/" + proc_file, mode="w") as f: